Heather Mahalik, the author of Practical Mobile Forensics and SANS FOR585, has written a post about forensicating iOS 11 iMessages and SMS. The first thing to be noted, common mobile forensic tools not parsing these messages correctly, at least sometimes, especially timestamps, so the best way is to parse the sms.db contents manually. The thing is – you can see …

In this post Lionel Faleiro shows how to use Powerforensics, a PowerShell framework created for hard drive forensic analysis by Jared Atkinson, for Windows LNK forensic analysis.

Here is a guide on how to remotely dump Linux RAM with LiMEaide – a python application designed to remotely dump RAM of a Linux client and create a volatility profile for later analysis on your forensic workstation. The process includes six steps: Make a remote connection with specified client over SSH Transfer necessary build files to the remote machine Build the …

Phill Moore has written a nice post in his new blog – ThinkDFIR. This post will help you to understand what orphaned files are (of course if you still don’t know).

Jason Hale has published a post about the impact of VBS on memory acqusition. With Windows 10 and Server 2016, Microsoft added the option to enable various forms of virtualization-based security (VBS), such as Credential Guard, Device Guard, Application Guard, and more. In the post you will learn which tools to use to overcome these new features.

Yogesh Khatri has published a very useful post – he shows how to find the serial number of a Mac computer or laptop. There are a few system databases that store this information and make it available for forensic investigators to use: consolidated.db cache_encryptedA.db lockCache_encryptedA.db You can find information about the databases location in the original post.

In this post Jamie McQuaid from Magnet Forensics shows how to create Android physical images via custom recovery with AXIOM, step by step. Flashing a recovery image to an Android device will work on a phone even if it has a passcode lock, bypassing it completely and allowing you to acquire a full physical image of the device.

Another interesting article has been posted by Andrea Fortuna. This time he is writing about event logs recovery from a Windows memory image. The author uses two approaches, depending on OS version. If he deals with Windows XP and 2003, he uses evtlogs Volatility plugin, for other Windows versions he uses Willi Ballenthin’s EVTXtract.

Quentin Jerome from RawSec shared an article on carving Windows Event Logs in EVTX format. He gives a short overview of the EVTX file format, presents carving pseudo-algorithm and a bunch of experiments.

BlackBag Training Team has published a post about Mac memory imaging and analysis. They start from different ways of capturing RAM: with administrator’s password and via reboot (yes, reboot) with MacQuisition. The team finishes their post with analysis of captured image with BlackLight.